SigmaHQ/rules/linux/lnx_sudo_cve_2019_14287_user.yml

title: Sudo Privilege Escalation CVE-2019-14287
id: 7fcc54cb-f27d-4684-84b7-436af096f858
related:
    - id: f74107df-b6c6-4e80-bf00-4170b658162b
      type: derived
status: experimental
description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
author: Florian Roth
date: 2019/10/15
modified: 2021/09/14
references:
    - https://www.openwall.com/lists/oss-security/2019/10/14/1
    - https://access.redhat.com/security/cve/cve-2019-14287
    - https://twitter.com/matthieugarin/status/1183970598210412546
logsource:
    product: linux
tags:
    - attack.privilege_escalation
    - attack.t1068
    - attack.t1169 # an old one
    - attack.t1548.003
detection:
    selection_user:
        USER:
            - '#-*'
            - '#*4294967295'
    condition: selection_user
falsepositives:
    - Unlikely
level: critical